switch to native breakpoints

2023-03-13 12:19:24 +01:00 · 2023-03-13 12:19:24 +01:00 · d118eeacbd
commit d118eeacbd
parent 57fc441118
3 changed files with 10 additions and 6 deletions
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@ -33,6 +33,7 @@ use libafl::{
 use libafl_qemu::{
    edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
    QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr,
+    emu::libafl_qemu_set_native_breakpoint, emu::libafl_qemu_remove_native_breakpoint,
 };
 use rand::{SeedableRng, StdRng, Rng};
 use crate::{
@ -167,14 +168,14 @@ pub fn fuzz() {
        let emu = Emulator::new(&args, &env);

        if let Some(main_addr) = main_addr {
-            emu.set_breakpoint(main_addr);
            unsafe {
+                libafl_qemu_set_native_breakpoint(main_addr);
                emu.run();
+                libafl_qemu_remove_native_breakpoint(main_addr);
            }
-            emu.remove_breakpoint(main_addr);
        }

-        emu.set_breakpoint(breakpoint); // BREAKPOINT
+        unsafe { libafl_qemu_set_native_breakpoint(breakpoint); }// BREAKPOINT 

        // The wrapped harness function, calling out to the LLVM-style harness
        let mut harness = |input: &BytesInput| {
@ -276,7 +277,7 @@ pub fn fuzz() {
        let mut state = state.unwrap_or_else(|| {
            StdState::new(
                // RNG
-                StdRand::with_seed(RNG_SEED),
+                unsafe {StdRand::with_seed(RNG_SEED) },
                // Corpus that will be evolved, we keep it in memory for performance
                InMemoryCorpus::new(),
                // Corpus in which we store solutions (crashes in this example),
@ -492,7 +493,7 @@ pub fn fuzz() {
        let emu = Emulator::new(&args, &env);

        if let Some(main_addr) = main_addr {
-            emu.set_breakpoint(main_addr);
+            unsafe { libafl_qemu_set_native_breakpoint(main_addr); }// BREAKPOINT 
        }
        unsafe {
            emu.run();
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@ -93,7 +93,7 @@ fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
    let mut systemstate = RawFreeRTOSSystemState::default();
    unsafe {
        // TODO: investigate why can_do_io is not set sometimes, as this is just a workaround
-        let c = emulator.current_cpu().unwrap();
+        let c = emulator.cpu_from_index(0);
        let can_do_io = (*c.raw_ptr()).can_do_io;
        (*c.raw_ptr()).can_do_io = 1;
        systemstate.qemu_tick = emu::icount_get_raw();
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@ -314,6 +314,9 @@ extern "C" {

    fn libafl_qemu_set_breakpoint(addr: u64) -> i32;
    fn libafl_qemu_remove_breakpoint(addr: u64) -> i32;
+    pub fn libafl_qemu_set_native_breakpoint(addr: u32);
+    pub fn libafl_qemu_remove_native_breakpoint(addr: u32);
+    
    fn libafl_flush_jit();
    fn libafl_qemu_trigger_breakpoint(cpu: CPUStatePtr);